Detecting C&C Server Communications – Context is Key

Detecting C&C Server Communications – Context is Key

By now, the concept of the cyber Attack Chain (or kill chain) is widely accepted as a way to understand and deal with threats. Just to refresh your memory, here is Gartner’s take:


Source: Gartner

As you can see, the first thing that malware does once it’s established on the network is call home – reach out to a C&C server. C&C are famous for controlling botnets, but they are essential for any multi-stage attack. For example, ransomware calls a control server to obtain a unique encryption key.

As we discussed in our last post, to detect complex attacks, you need to monitor and analyze information across attack vectors (like web, email and files), the attack chain, and the IT infrastructure. We’ll talk more about this later but for now, let’s focus on how to effectively detect C&C communications.

Blacklists are Not Enough

Many security solutions handle command servers by blocking a list of domains with a bad reputation. Thanks to growing cooperation in the industry, a lot of information about C&C servers is available in threat repositories, and products like firewalls download updates to maintain their blacklists.

The limitation of this approach is, of course, that the server has to be known in order to block it. Hackers deal with this by maintaining networks of servers that constantly “jump” domains. Blacklisting can help block opportunistic malware that preys on poorly protected businesses. But it will not help to prevent or detect a targeted attack, since the server simply will not be on the list.

Machine Learning – Pros and Cons

Rather than relying on signatures, Network Traffic Analysis solutions actively look for suspicious activity. They continuously monitor the network and use machine-learning algorithms to detect suspicious or abnormal traffic behavior that could indicate unknown threats.
Monitoring network traffic involves massive amounts of data, and machine learning is the most effective and sustainable way of analyzing it. Another advantage is that the algorithms can improve over time.
However, machine learning has some limitations when it comes to security applications. The first is false positives. Whether it’s because of a new, benign behavior, lack of domain context, or margins of error, some machine predictions will inevitably be wrong. (Current events demonstrate that humans are not awfully good at predictions either!) On top of that, since machine learning tools do not rely on rules, it is often hard to understand the context and rationale behind the alerts they generate. Finally, many solutions only run in retrospective batch mode, while others require an extensive learning period – both of which result in a delay before you see results.

Machine Learning – Our Way

Verint Threat Protection System uses machine learning to detect C&C channels over internet access protocols such as HTTP, HTTPS or DNS. By combining domain knowledge and supervised learning to analyze malware and its network behavior, the Verint system increases the detection rate, lowers false positives and provides contextual metadata to make it easier to understand alerts. Self-tuning and reinforced learning mechanisms improve results over time by integrating feedback from human analysts. Network traffic is inspected in real time, at scale, to avoid delays in detection. The system also provides models and domain knowledge out of the box that are designed to minimize initial training time while effectively and frequently self-tuning.

A Holistic Approach – The Key to Successful C&C Detection

Ultimately, no matter how good it is, any network detection technology only sees a small part of the attack chain. When it spots an anomaly or suspicious behavior, it has no way to gather information from other security products (that monitor endpoint or payload, for example) in order to confirm it. The result is a lot of false alarms and so much information that you can’t analyze it all.
Verint Threat Protection System delivers integrated, multi-dimensional detection across the network, endpoints and files, continuously cross-referencing leads from each stage in the attack chain to build complete incident storylines. It includes pre-integrated detection sensors for network traffic, C&C communication, lateral movement, files and endpoints that work together as a team to detect intruders as early as possible.


Learn more about how the Verint Threat Protection System detects C&C in our recent post about the SpamTorte botnet and watch this short demo video to see the system in action.


Author: Israel Aloni